The Cybersecurity and Infrastructure Security Agency (CISA) has significantly expanded its Known Exploited Vulnerabilities (KEV) catalog in 2025, adding 47 new entries in response to an increasingly hostile cyber threat landscape. The catalog, a key component of federal efforts to reduce systemic risk, now includes critical vulnerabilities spanning a wide range of platforms and products currently under active exploitation. These additions underline the urgent need for robust vulnerability management practices, especially among federal enterprises and organizations in critical infrastructure sectors.
CISA’s KEV Catalog Expansion Reflects Active Exploitation Trends
The KEV catalog is not merely a list of theoretical risks—it tracks vulnerabilities with verified, in-the-wild exploitation. By including only those vulnerabilities that present real, present-day security threats, the catalog helps federal and private-sector organizations prioritize patching decisions based on actual attacker behavior.
High-Profile Additions Include Vulnerabilities in SharePoint, Google Chromium, and Cisco Devices
Among the newly listed vulnerabilities is an active zero-day in Microsoft SharePoint, which further illustrates how attackers continue to target critical collaboration platforms. Other notable vulnerabilities added to the KEV catalog throughout 2025 include flaws in widely used software and infrastructure products such as:
- Cisco Small Business RV Routers (CVE-2023-20118): A command injection vulnerability under active exploitation, particularly dangerous for small businesses that depend on these routers for network connectivity.
- Google Chromium ANGLE and GPU (CVE-2025-6558): An improper input validation vulnerability in the rendering pipeline of Google’s browser technology, affecting web-based and enterprise applications alike.
- CrushFTP (CVE-2025-54309): An unprotected alternate channel vulnerability with serious implications for secure file transfers.
- Progress WhatsUp Gold (CVE-2024-4885): A path traversal vulnerability that can grant unauthorized access to sensitive resources.
Attackers Continue Leveraging Legacy Vulnerabilities
In addition to targeting newer technologies, adversaries are exploiting older vulnerabilities that remain unpatched across many environments. Some of these long-known issues resurfacing in active exploits include:
- PHPMailer Command Injection (CVE-2016-10033): A well-documented flaw that allows remote code execution via specially crafted email headers.
- Rails Path Traversal (CVE-2019-5418): This known Ruby on Rails weakness enables attackers to read arbitrary files from targeted servers.
- Microsoft Windows Win32k Elevation of Privilege (CVE-2018-9276, CVE-2018-19410): These privilege escalation bugs have been exploited historically and are now resurfacing in modern campaigns.
- Apache OFBiz Forced Browsing (CVE-2024-45195): A forced browsing flaw that shows how unpatched legacy enterprise software remains fertile ground for attackers.
These entries serve as a reminder that patching legacy software remains as critical as applying fixes to recent releases.
XML, SSRF, and Input Validation Flaws Dominate Exploit Trends
A closer look at the nature of the vulnerabilities in the 2025 KEV updates reveals consistent attacker interest in:
- Improper Input Validation: Seen in Google Chromium (CVE-2025-6558) and Windows kernel vulnerabilities, these flaws allow for everything from local privilege escalation to full system compromise.
- Server-Side Request Forgery (SSRF): Zimbra’s SSRF vulnerability (CVE-2019-9621) highlights the persistent risk of attackers pivoting through trusted internal systems.
- XML External Entity (XXE) Vulnerabilities: Two separate flaws in SysAid’s on-premise deployment (CVE-2025-2775 and CVE-2025-2776) reflect the ongoing XXE risk in enterprise service management systems.
Systemic Risks for Federal and Critical Infrastructure Systems
CISA repeatedly emphasizes that these vulnerabilities pose a particular threat to federal enterprises and critical infrastructure operators. The broad diversity of products affected—ranging from enterprise management platforms to collaboration tools and network hardware—suggests attackers are capitalizing on any and every viable entry point.
“CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV catalog vulnerabilities as part of their vulnerability management practice.”
Security Teams Should Prioritize KEV-Based Patching Over CVSS Scores Alone
While Common Vulnerability Scoring System (CVSS) ratings provide a general risk assessment, the KEV catalog specifically identifies real-world exploitation. Therefore, CISA encourages organizations to prioritize KEV entries over scores in their day-to-day vulnerability management workflows.
Recommended Actions for Reducing Exposure
Security teams should implement the following steps to address the newly added vulnerabilities:
- Inventory Matching: Use asset management tools to identify systems running affected software or configurations.
- Apply Patches or Mitigations: Immediately deploy vendor-approved updates or temporary controls where patches are not yet available.
- Monitor Exploit Activity: Set up SIEM (Security Information and Event Management) alerts for indicators of compromise related to these vulnerabilities.
- Review Access Controls: Ensure proper segmentation and least-privilege settings to prevent lateral movement in case of initial compromise.
- Audit Legacy Systems: Allocate additional resources to patch or retire software platforms that contain known, actively exploited issues.
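The two ideas above, matching an inventory against the catalog and ranking KEV entries ahead of CVSS scores alone, fit in one short script. The example below is added here and is not code from the article or from CISA. It assumes the field names of CISA's public JSON feed (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json), namely cveID, vendorProject, product, dateAdded, dueDate and knownRansomwareCampaignUse; the three catalog records, their dates, the scanner findings and the placeholder CVE-2099-0001 are all constructed so the script runs offline.

```python
import json
from dataclasses import dataclass, replace
from datetime import date
from typing import Dict, List, Optional

# Constructed subset of KEV-style records. The field names follow CISA's
# public JSON feed; the dates and ransomware flags are placeholders, not
# the catalog's real values.
KEV_FEED_JSON = json.dumps({
    "title": "constructed sample, not the live catalog",
    "vulnerabilities": [
        {"cveID": "CVE-2023-20118", "vendorProject": "Cisco",
         "product": "Small Business RV Series Routers",
         "dateAdded": "2025-01-10", "dueDate": "2025-01-31",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2016-10033", "vendorProject": "PHPMailer",
         "product": "PHPMailer",
         "dateAdded": "2025-02-01", "dueDate": "2025-02-22",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-54309", "vendorProject": "CrushFTP",
         "product": "CrushFTP",
         "dateAdded": "2025-03-05", "dueDate": "2025-03-26",
         "knownRansomwareCampaignUse": "Known"},
    ],
})


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str
    cvss: float                  # scanner-reported CVSS base score
    in_kev: bool = False
    due: Optional[date] = None   # KEV remediation due date, if listed
    ransomware: bool = False     # KEV "knownRansomwareCampaignUse" == "Known"


# Constructed scanner output. CVE-2099-0001 is a deliberate placeholder for a
# high-CVSS bug that is NOT in the catalog.
SCAN_FINDINGS: List[Finding] = [
    Finding("vpn-edge-01", "CVE-2023-20118", 6.5),
    Finding("web-app-03", "CVE-2016-10033", 9.8),
    Finding("ftp-01", "CVE-2025-54309", 9.0),
    Finding("db-02", "CVE-2099-0001", 9.9),
]


def load_kev(feed_text: str) -> Dict[str, dict]:
    """Index the KEV feed by CVE id so inventory matching is a dict lookup."""
    feed = json.loads(feed_text)
    return {entry["cveID"]: entry for entry in feed["vulnerabilities"]}


def enrich(findings: List[Finding], kev: Dict[str, dict]) -> List[Finding]:
    """Attach KEV metadata (due date, ransomware use) to matching findings."""
    enriched = []
    for f in findings:
        entry = kev.get(f.cve)
        if entry is None:
            enriched.append(f)
            continue
        enriched.append(replace(
            f,
            in_kev=True,
            due=date.fromisoformat(entry["dueDate"]),
            ransomware=entry.get("knownRansomwareCampaignUse") == "Known",
        ))
    return enriched


def prioritize(findings: List[Finding], kev: Dict[str, dict]) -> List[Finding]:
    """KEV hits first, ordered by earliest remediation deadline, with known
    ransomware use as a tie-break; everything else falls back to CVSS.
    A high CVSS score alone never outranks a KEV entry."""
    def sort_key(f: Finding):
        return (not f.in_kev, f.due or date.max, not f.ransomware, -f.cvss)
    return sorted(enrich(findings, kev), key=sort_key)


def status(f: Finding, today: date) -> str:
    """Human-readable remediation status relative to the KEV due date."""
    if not f.in_kev:
        return "not in KEV"
    return "OVERDUE" if f.due < today else f"due {f.due.isoformat()}"


if __name__ == "__main__":
    today = date(2025, 3, 1)  # constructed reference date
    for f in prioritize(SCAN_FINDINGS, load_kev(KEV_FEED_JSON)):
        flag = " (ransomware use)" if f.ransomware else ""
        print(f"{f.asset:12} {f.cve:15} CVSS {f.cvss:<4} {status(f, today)}{flag}")
```

With the constructed data, the router flaw with a CVSS of 6.5 lands at the top because its KEV deadline has already passed, while the 9.9-rated placeholder that is not in the catalog comes last. Swapping the embedded JSON for the live feed and the constructed findings for real scanner output is the only change needed to run this against an actual inventory.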
Looking Ahead: Security Implications for 2025 and Beyond
With attackers exploiting both newly discovered flaws and ancient CVEs dating back a decade, the 2025 KEV updates underscore that threat actors remain opportunistic and highly adaptable. The inclusion of SharePoint zero-days, Google Chromium weaknesses, and Microsoft’s Win32k flaws reiterates that both perimeter and internal systems are targets.
For security leaders and SOC analysts, the KEV catalog remains an operational guide—not just a reference. Prioritizing these known exploited vulnerabilities enables better risk reduction than wholesale patching strategies based solely on severity metrics or publication dates. As threat actors increasingly automate their tools and diversify their targets, defenders must rely on threat intelligence-backed assessments like those offered by CISA’s KEV catalog as an essential part of strategic cyber defense.